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REMARKS 



Applicant has reviewed the claims and made minor amendments to clarify language and 
correct minor informalities. 

The examiner rejected claims 9, 11, 17-20, 24 and 25 under 35 U.S.C. 112, second 
paragraph as being indefinite. 

Claim 9 positively recites a method step of "communicating ..." Accordingly, this 
rejection of claim 9 is improper. Claim 1 1 has been amended to recite providing the cluster head 
device and the probe devices as a clustered gateway. Claims 17 and 25 have been amended to 
provide antecedent basis for terms used therein. Claim 24 has been amended to recite delivering 
the sampled network traffic by the probes to a clustered head for traffic analysis . In view of the 
above amendments this rejection has been over come. 

The examiner rejected claims 1-25 under 35 U.S.C. (102) as being anticipated by US 
Patent Application 2002/0035683 Al, US Patent Application 2002/0032774 Al and US Patent 
Application 2002/0032880 Al. 

Claims 1-25 are distinguished over the publications. At the outset, Applicant notes that 
the above published applications as well as the instant case are assigned to the same assignee and 
were all subject to an obligation of assignment to the same assignee when the respective 
inventions were first made. 

Claim 1 distinguishes over these publications. Claim 1 calls for a monitoring device . . . 
comprising, a plurality of probe devices that are disposed to collect statistical information on 
packets that are sent between the network and the data center and a cluster head coupled to each 
of the plurality of probe devices, the cluster head receiving collected statistical information from 
the probe devices and determining from the collected information whether the data center is 
under a denial of service attack. 

These features are not shown in the publications. The publications describe a gateway 
and data collectors. The gateway and data collectors however do not have the features of a 
plurality of probe devices and a cluster head coupled to each of the plurality of probe devices. In 



Applicant 
Serial No. 
Filed 
Page 



Massimiliano Mm 
10/062,974 
January 31, 2002 
8 of 11 




do Poletto et al. 




ley's Docket No.: 12221-011001 



the publications the data collectors are coupled via a hardened network to a central control 
center. 

Instant claim 3 recites that the cluster head further includes a communication process that 
communicates statistics collected in the probe devices with a control center, and that receives 
queries or instructions from the control center. 

The control center is distinct from the cluster head in the instant claims and application 
and that of the publications, and therefore the publications neither describe nor suggest the 
invention of claim 1 or claim 3, at least for the reason that the publications do not have an 
element that is the equivalent to the cluster head. 

Claim 4 further limits the invention to a gateway device that includes a process to install 
filters to thwart denial of service attacks by removing network traffic that is deemed part of an 
attack. 

Claims 5-7 add distinguishing features. For instance claim 6 recites that the probes 
execute a joining process that allows a probe to join a cluster. Claims 8-25 are also distinct for 
similar reasons as in claim 1 . 

Claim 15 is directed to a gateway device including a cluster head and a plurality of 
probes disposed between a network and a victim, the probes collecting statistical data, for 
performance of intelligent traffic analysis and filtering by the probed, to identify malicious traffic 
for thwarting denial of service attacks. These features are not described by the references. 

Claim 17 distinguishes by reciting a monitoring device . . . comprising a device that 
collects statistical information on packets that are sent between the network and the data center 
over a plurality of links and that produces statistical information from network traffic over the 
plurality of links to determine from the statistical information whether the data center is under a 
denial of service attack. 

Claim 22 distinguishes by reciting a method of thwarting denial of service attacks on a 
victim data center by monitoring network traffic over a plurality of links between the victim data 
center and the network and communicating data over a hardened network, to a control center. 

The examiner rejected claims 1, 4, 8-10, 13 and 16 under 35 U.S.C. 101 as same type 
double patenting or alternatively under the judicially created doctrine of obviousness type double 
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patenting over claims 1, 3-4, 6-8, 12-15, 17, and 26-27 of US Patent Application 2002/0035683 
Al. 

Claims 1, 4, 8-10, 13 and 16 do not claim the same invention as claims 1, 3-4, 6-8, 12-15, 
17, and 26-27 of US Patent Application 2002/0035683 AL For instance, claim 8 of the instant 
application recites: 

8. A method of thwarting denial of service attacks on a 
victim data center coupled to a network comprises: 

monitoring network traffic through probes that are disposed 
between the victim data center and the network; and 

communicating data from the probes, over a dedicated 
network, to a cluster head device. 



Claim 1 of the '683 published application recites: 

L A method of thwarting denial of service attacks on a 
victim data center coupled to a network comprises: 

monitoring network traffic through monitors disposed at a 
plurality of points in the network; and 

communicating data from the monitors, over a hardened, 
redundant network, to a central controller. 

Claim 8 of the instant application requires that monitoring occurs through 
probes that are disposed between the victim data center and the network and that 
the probes communicate data to a cluster head device. Claim 1 of the '683 
requires that monitoring has monitors disposed at a plurality of points in the 
network and that the monitors communicate data to a central controller. Thus, 
clearly claims 8 and 1 do not claim the same invention. The monitors are 
disposed in different points, and in one case the monitors communicate with a 
cluster head whereas in the case of claim 1 of the '683 application they 
communicate with the central controller. A central controller is described in both 
applications and is not the same element as a cluster head which is shown in FIG. 
3 of the instant case but is not shown in the '683 application. Similar arguments 
apply for the other claims. 

The rejection of Claims 1, 4, 8-10, 13 and 16 over claims 1, 3-4, 6-8, 12-15, 17, and 26- 
27 of US Patent Application 2002/0035683 Al under judicially created doctrine of obviousness 
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type double patenting rejection is also improper. Again using claim 8 of the instant application 
and claim 1 of the '683 published application, as illustrative, claim 8 of the instant application 
requires that monitoring occurs through probes that are disposed between the victim data center 
and the network and that the probes communicate data to a cluster head device. Claim 1 of the 
'683 application requires that monitoring uses monitors disposed at a plurality of points in the 
network and that the monitors communicate data to a central controller. 

Claims 8 and 1 claim inventions that are non-obvious and patentably distinct from one 
another. The monitors are disposed in different points in the different claims and the probes 
communicate with a cluster head in claim 8 of the instant case, whereas in claim 1 of the c 683 
application they communicate with the central controller. A central controller is described in 
both applications and is not the same element as a cluster head, which is shown in FIG. 3 of the 
instant case but is not shown in the '683 application. Similar arguments apply for the other 
claims. 

Consequently, the double patenting rejection under 35 U.S.C. 101 and the obviousness 
type double patenting rejection are improper. 

Newly added claims 26-32 add distinctive features to their respective dependent claims 
and are allowable at least for that reason. 
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Enclosed is a $63 check for excess claim fees. Please apply any other charges or credits 
to deposit account 06-1050. 

Respectfully submitted, 



Date: ( VT^joj 
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225 Franklin Street 
Boston, MA 02110-2804 
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